Timing Oracle in RSA Decryption
Description
A timing-based side channel exists in the OpenSSL RSA decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher-style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.
For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenSSL RSA decryption contains a timing side channel enabling Bleichenbacher-style plaintext recovery across a network.
Vulnerability
Overview
A timing-based side channel exists in the OpenSSL RSA decryption implementation, affecting all RSA padding modes (PKCS#1 v1.5, RSA-OAEP, RSASVE). The flaw allows an attacker to perform a Bleichenbacher-style attack by observing processing time variations as trial messages are decrypted [1][2]. The root cause is the lack of constant-time processing in the RSA decryption code paths.
Exploitation
Scenario
In a TLS connection, RSA is used to encrypt the pre-master secret sent from client to server. An attacker who observes a genuine TLS handshake can then send a large number of crafted trial messages to the server and measure the time taken for each decryption response. Over many observations, the timing differences can be correlated to recover the original pre-master secret [1][2]. The attack requires no special authentication; the attacker only needs network access to the server.
Impact
Successful exploitation allows the attacker to decrypt the application data exchanged over the original TLS session. This compromises the confidentiality of communications that were previously considered secure. The vulnerability is rated Moderate by OpenSSL, but its practical impact is significant because it targets the core RSA key exchange used in many TLS deployments [1][3].
Mitigation
OpenSSL addressed this issue in versions 3.0.8, 1.1.1t, and 1.0.2zg (premium support) [1][3]. Users are advised to upgrade to these patched versions. There is no workaround available; the fix introduces constant-time RSA decryption to eliminate the timing oracle [1][4].
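To make the "constant-time" point concrete, here is an added illustration that is not code from OpenSSL or from any of the cited advisories: a textbook PKCS#1 v1.5 unpadding routine that returns at the first bad byte (so its running time reveals where a trial message failed, which is exactly the oracle a Bleichenbacher-style attack needs) next to a branch-free version that visits every byte and decides once at the end. The function names and the caller-supplied padding string are assumptions made for the example.

```python
# Added example (not OpenSSL's code). `em` is the k-byte block that RSA
# decryption yields before unpadding: 0x00 || 0x02 || PS || 0x00 || M.
# CPython cannot guarantee constant time; the control-flow pattern is the point.
from typing import Optional

def pad_pkcs1_v15(msg: bytes, k: int, ps: bytes) -> bytes:
    """Constructed test fixture: real padding uses random non-zero PS."""
    assert len(ps) == k - 3 - len(msg) and 0 not in ps
    return b"\x00\x02" + ps + b"\x00" + msg

def unpad_leaky(em: bytes, k: int) -> Optional[bytes]:
    """Returns at the first bad byte: the number of bytes touched, and so the
    time taken, depends on the (secret) decrypted content."""
    if len(em) != k or em[0] != 0x00 or em[1] != 0x02:
        return None
    i = 2
    while i < k and em[i] != 0x00:   # scan for the separator
        i += 1
    if i == k or i - 2 < 8:          # no separator, or PS shorter than 8 bytes
        return None
    return em[i + 1:]

def unpad_ct(em: bytes, k: int) -> Optional[bytes]:
    """Same result, but every byte is visited, validity accumulates in a
    mask, and the only data-dependent branch is the final one."""
    if len(em) != k:                 # the block length is public, not secret
        return None
    good = int(em[0] == 0x00) & int(em[1] == 0x02)
    found, sep = 0, 0
    for i in range(2, k):
        is_zero = int(em[i] == 0x00)
        take = -(is_zero & (found ^ 1))    # all-ones only for the FIRST zero
        sep = (sep & ~take) | (i & take)   # constant-time select of its index
        found |= is_zero
    good &= found & int(sep >= 10)         # separator at index >= 10 => PS >= 8
    msg = em[sep + 1:]                     # always copy; cost independent of `good`
    return msg if good else None
```

Running both over a well-formed block and over blocks with a bad header, no separator and a too-short PS gives identical results; only the amount of work done before rejecting differs.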
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openssl-src (crates.io) | < 111.25.0 | 111.25.0 |
| openssl-src (crates.io) | >= 300.0.0, < 300.0.12 | 300.0.12 |
Affected products
- Range: 3.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-p52g-cm5j-mjv4 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-4304 (advisory)
- www.openssl.org/news/secadv/20230207.txt (vendor advisory)
- psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003 (web)
- rustsec.org/advisories/RUSTSEC-2023-0007.html (web)
- security.gentoo.org/glsa/202402-08 (web)
News mentions
- Hitachi Energy GMS600 (CISA ICS Advisories)